[RFC,nf-next,v5,0/2] netfilter: bpf: support prog update

Message ID	1704175877-28298-1-git-send-email-alibuda@linux.alibaba.com (mailing list archive)
Headers	show Received: from out30-133.freemail.mail.aliyun.com (out30-133.freemail.mail.aliyun.com [115.124.30.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0FCB94431; Tue, 2 Jan 2024 06:11:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com X-Alimail-AntiSpam: AC=PASS;BC=-1\|-1;BR=01201311R141e4;CH=green;DM=\|\|false\|;DS=\|\|;FP=0\|-1\|-1\|-1\|0\|-1\|-1\|-1;HT=ay29a033018045176;MF=alibuda@linux.alibaba.com;NM=1;PH=DS;RN=13;SR=0;TI=SMTPD_---0VzmJOCt_1704175877; Received: from j66a10360.sqa.eu95.tbsite.net(mailfrom:alibuda@linux.alibaba.com fp:SMTPD_---0VzmJOCt_1704175877) by smtp.aliyun-inc.com; Tue, 02 Jan 2024 14:11:21 +0800 From: "D. Wythe" <alibuda@linux.alibaba.com> To: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org Subject: [RFC nf-next v5 0/2] netfilter: bpf: support prog update Date: Tue, 2 Jan 2024 14:11:15 +0800 Message-Id: <1704175877-28298-1-git-send-email-alibuda@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: <bpf.vger.kernel.org> List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org> List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org> X-Patchwork-State: RFC
Series	netfilter: bpf: support prog update \| expand [RFC,nf-next,v5,0/2] netfilter: bpf: support prog update [RFC,nf-next,v5,1/2] netfilter: bpf: support prog update [RFC,nf-next,v5,2/2] selftests/bpf: Add netfilter link prog update test

Message ID

1704175877-28298-1-git-send-email-alibuda@linux.alibaba.com (mailing list archive)

Headers

From: "D. Wythe" <alibuda@linux.alibaba.com>
To: pablo@netfilter.org,
	kadlec@netfilter.org,
	fw@strlen.de
Cc: bpf@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org,
	coreteam@netfilter.org,
	netfilter-devel@vger.kernel.org,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	ast@kernel.org
Subject: [RFC nf-next v5 0/2] netfilter: bpf: support prog update
Date: Tue,  2 Jan 2024 14:11:15 +0800
Message-Id: <1704175877-28298-1-git-send-email-alibuda@linux.alibaba.com>
Precedence: bulk

Series

netfilter: bpf: support prog update | expand

Message

D. Wythe Jan. 2, 2024, 6:11 a.m. UTC

From: "D. Wythe" <alibuda@linux.alibaba.com>

This patches attempt to implements updating of progs within
bpf netfilter link, allowing user update their ebpf netfilter
prog in hot update manner.

Besides, a corresponding test case has been added to verify
whether the update works.
--
v1:
1. remove unnecessary context, access the prog directly via rcu.
2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
3. check the dead flag during the update.
--
v1->v2:
1. remove unnecessary nf_prog, accessing nf_link->link.prog in direct.
--
v2->v3:
1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
--
v3->v4:
1. remove mutex for link update, as it is unnecessary and can be replaced
by atomic operations.
--
v4->v5:
1. fix error retval check on cmpxhcg

D. Wythe (2):
  netfilter: bpf: support prog update
  selftests/bpf: Add netfilter link prog update test

 net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
 .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
 .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
 3 files changed, 141 insertions(+), 16 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c

Comments

D. Wythe Jan. 16, 2024, 1:46 p.m. UTC | #1

Just a reminder to avoid forgetting this patch by everyone.

Quentin Deslandes Feb. 14, 2024, 4:10 p.m. UTC | #2

On 2024-01-02 07:11, D. Wythe wrote:
> From: "D. Wythe" <alibuda@linux.alibaba.com>
> 
> This patches attempt to implements updating of progs within
> bpf netfilter link, allowing user update their ebpf netfilter
> prog in hot update manner.
> 
> Besides, a corresponding test case has been added to verify
> whether the update works.
> --
> v1:
> 1. remove unnecessary context, access the prog directly via rcu.
> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
> 3. check the dead flag during the update.
> --
> v1->v2:
> 1. remove unnecessary nf_prog, accessing nf_link->link.prog in direct.
> --
> v2->v3:
> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
> --
> v3->v4:
> 1. remove mutex for link update, as it is unnecessary and can be replaced
> by atomic operations.
> --
> v4->v5:
> 1. fix error retval check on cmpxhcg
> 
> D. Wythe (2):
>   netfilter: bpf: support prog update
>   selftests/bpf: Add netfilter link prog update test
> 
>  net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>  .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>  .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>  3 files changed, 141 insertions(+), 16 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>  create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
> 

It seems this patch has been forgotten, hopefully this answer
will give it more visibility.

I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
with bpfilter and everything seems alright.

Thanks,
Quentin

Pablo Neira Ayuso Feb. 14, 2024, 4:41 p.m. UTC | #3

On Wed, Feb 14, 2024 at 05:10:46PM +0100, Quentin Deslandes wrote:
> On 2024-01-02 07:11, D. Wythe wrote:
> > From: "D. Wythe" <alibuda@linux.alibaba.com>
> > 
> > This patches attempt to implements updating of progs within
> > bpf netfilter link, allowing user update their ebpf netfilter
> > prog in hot update manner.
> > 
> > Besides, a corresponding test case has been added to verify
> > whether the update works.
> > --
> > v1:
> > 1. remove unnecessary context, access the prog directly via rcu.
> > 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
> > 3. check the dead flag during the update.
> > --
> > v1->v2:
> > 1. remove unnecessary nf_prog, accessing nf_link->link.prog in direct.
> > --
> > v2->v3:
> > 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
> > --
> > v3->v4:
> > 1. remove mutex for link update, as it is unnecessary and can be replaced
> > by atomic operations.
> > --
> > v4->v5:
> > 1. fix error retval check on cmpxhcg
> > 
> > D. Wythe (2):
> >   netfilter: bpf: support prog update
> >   selftests/bpf: Add netfilter link prog update test
> > 
> >  net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
> >  .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
> >  .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
> >  3 files changed, 141 insertions(+), 16 deletions(-)
> >  create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
> >  create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
> > 
> 
> It seems this patch has been forgotten, hopefully this answer
> will give it more visibility.
> 
> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
> with bpfilter and everything seems alright.

Just post it without RFC tag.

D. Wythe Feb. 20, 2024, 7:16 a.m. UTC | #4

On 2/15/24 12:41 AM, Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2024 at 05:10:46PM +0100, Quentin Deslandes wrote:
>> On 2024-01-02 07:11, D. Wythe wrote:
>>> From: "D. Wythe" <alibuda@linux.alibaba.com>
>>>
>>> This patches attempt to implements updating of progs within
>>> bpf netfilter link, allowing user update their ebpf netfilter
>>> prog in hot update manner.
>>>
>>> Besides, a corresponding test case has been added to verify
>>> whether the update works.
>>> --
>>> v1:
>>> 1. remove unnecessary context, access the prog directly via rcu.
>>> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
>>> 3. check the dead flag during the update.
>>> --
>>> v1->v2:
>>> 1. remove unnecessary nf_prog, accessing nf_link->link.prog in direct.
>>> --
>>> v2->v3:
>>> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
>>> --
>>> v3->v4:
>>> 1. remove mutex for link update, as it is unnecessary and can be replaced
>>> by atomic operations.
>>> --
>>> v4->v5:
>>> 1. fix error retval check on cmpxhcg
>>>
>>> D. Wythe (2):
>>>    netfilter: bpf: support prog update
>>>    selftests/bpf: Add netfilter link prog update test
>>>
>>>   net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>>>   .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>>>   .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>>>   3 files changed, 141 insertions(+), 16 deletions(-)
>>>   create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>>>   create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
>>>
>> It seems this patch has been forgotten, hopefully this answer
>> will give it more visibility.
>>
>> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
>> with bpfilter and everything seems alright.
> Just post it without RFC tag.

Glad to know that, I will send a formal version soon.

D. Wythe

D. Wythe Feb. 20, 2024, 7:19 a.m. UTC | #5

On 2/15/24 12:10 AM, Quentin Deslandes wrote:
> On 2024-01-02 07:11, D. Wythe wrote:
>> From: "D. Wythe" <alibuda@linux.alibaba.com>
>>
>> This patches attempt to implements updating of progs within
>> bpf netfilter link, allowing user update their ebpf netfilter
>> prog in hot update manner.
>>
>> Besides, a corresponding test case has been added to verify
>> whether the update works.
>> --
>> v1:
>> 1. remove unnecessary context, access the prog directly via rcu.
>> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
>> 3. check the dead flag during the update.
>> --
>> v1->v2:
>> 1. remove unnecessary nf_prog, accessing nf_link->link.prog in direct.
>> --
>> v2->v3:
>> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
>> --
>> v3->v4:
>> 1. remove mutex for link update, as it is unnecessary and can be replaced
>> by atomic operations.
>> --
>> v4->v5:
>> 1. fix error retval check on cmpxhcg
>>
>> D. Wythe (2):
>>    netfilter: bpf: support prog update
>>    selftests/bpf: Add netfilter link prog update test
>>
>>   net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>>   .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>>   .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>>   3 files changed, 141 insertions(+), 16 deletions(-)
>>   create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>>   create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
>>
> It seems this patch has been forgotten, hopefully this answer
> will give it more visibility.
>
> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
> with bpfilter and everything seems alright.
>
> Thanks,
> Quentin

Thanks for your testing. I will send  out a formal version soon.

Best wishes,
D. Wythe